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“iver Research motivation 


¢ Trajectory based operations (TBO) is an instrumental 
concept in the NextGen initiative 


¢ In order for the TBO concept to be realized, there will 
be a “fundamental shift in ATM” (FAA, 2014): 
— Narrower tolerances (FAA, 2014) 
— More precise trajectories 
— Strategic vs tactical 


e System resilience is critical 
— TBO system must be able to gracefully degrade to maintain 
Safe operations 
¢ Knowledge of the causes and mitigations of 
degradation in TBO must be understood 
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‘one Literature review 


¢ Aims: 
— Identify causes of degradation in ATC and associated 
solutions 
— Identify the role of ATCOs in a gracefully degrading system 


— Develop a framework of graceful degradation from the 
literature 


¢ Expected outcomes 


— Identify causes of degradation and associated solutions 
applicable to TBO 


— Identify literature gaps and inform future research 


— Implications for ecologically valid understanding of 
eraceful degradation of TBO systems 


we Framework of graceful 
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Identification Prevention and mitigation of degradation: Post-degradation: | Output - 
Degradation cause ° Preventative measures to generate graceful degradation Recovery 
¢ Active at different stages 


System Environment Human Operator 
fault or events (Air traffic 
failure controller) 


Graceful 
degradation 


System design Envrionment Human Operator Predominantly 
e.g. e.g. e.g. human operator 


¢ Fault tolerance ¢ Airspace design * Training 
e Redundancy ¢ Traffic flows ¢ Human-centered Can be supported 
¢ Automation ¢ CONOPS interface design by all previous 
¢ Procedures ¢ Decision support pre-degradation 
tools measures 


_ = Causes: System fault/ 
failure 


UNIVERSITY 
¢ Widest range of literature 


¢ Primarily focuses on CNS _ 
— Failure can be full system or partial, such as specific algorithms 


¢ Several categorizations documented, although no 
consistent agreement 


¢ Causes of hardware failure 
— Physical damage 
— Aging 
— Accidental/malicious interference 
¢ Software failure 
— Modelling errors 
— Integration of independent ATC software 


e Legacy technology and new technology 
¢ Technology with competing goals 
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aves Causes: Off-nominals 


¢ Airspace design > a 
— Number and type of conflict points ines 
— Size of available airspace — 


— Complexity can increase ATCO demand, which may put performance at greater 
risk 


Numan operator 
(Air traffic 
controller} 


¢ Imprecision/uncertainty 


¢ Off nominal events 
— Aircraft emergencies 
— Medical emergencies 
— Unexpected pilot actions 


e Weather 


— Widely researched 

— Leading cause of aircraft delay 

— Weather avoidance routes are pre-planned but real time updates limited 

— Consequences include manual vectoring, re-routing, delay and cancellations 


— Controllers responsible for maintaining safe operations during these 
demanding situations 


\/ 
eS 


sens Causes: Human Operators 
(ATCOs)} 


¢ Least researched in graceful degradation domain 


¢ Human performance influencing factors 
— Task demand and high workload 
— Attention and perception errors 
— Communication errors 
— Procedural error 

¢ Human performance influencing factors resulting 
from use of automation (human-system interaction} 
— Underload 
— Trust 
— Design of automation — transparency and reliability 
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a Identification 


¢ Required prior to prevention or mitigation 
¢ Techniques can be separated into: 
— Identifying potential causes prior to degradation 
— Identifying causes during live operations 
¢ Techniques prior to degradation include: 
— Incident and accident analysis 
— Causal modelling 
¢ Techniques of identification during live operations 
include: 
— System self-monitoring and self-identification 
— System communication to human operator 
— Human operator 
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Achieving graceful degradation: 


System-related solutions 


UNIVERSITY 
¢ Well-documented in the literature 


¢ Bertish et al. (2013) - 18 identified mitigations [x-«* |= 
— 14/18 related to technology design and regulation :Aavorator’ || So 


¢ Hardware/software solutions } } } © _ 
— Failure paths 
— Back up systems 
— Redundancy 


¢ Requirements- based solutions 
— Quality standards 
— Verification and validation 


¢ Technological solutions for environmental and human causes 
of degradation 
— Decision support systems 
— Automation 
— Tools to reduce uncertainty, such as enhanced weather prediction 


_ © Achieving sraceful degradation: 
Environmental solutions _ 


UNIVERSITY 
¢ Literature primarily focuses on 

reducing complexity for ATCOs |e 
¢ Solutions are usually complex einai) EE 


e Airspace redesign 

— Standard traffic flows 

— Flight follow features 

— More efficient reroutes 

— Reduction in complexity — reduction of risk of human error 
¢ Solutions to reduce uncertainty 

— CONOPS 

— Procedures 


_ “© Achieving graceful degradation: 


degrad : ] 
e Preventative measures to generate gre I deg tion degradatio Output 
e Active at different stages == | | Recove ry 
® @ “ 
¢ Contribution of ATCO to graceful | 
e e System design | Environment ir Predominantly 
'e e.g e.g 1UMAN Operato 
eg ra a O rN) S U rN) eC [- re S e a rc eC e Fault tolerance e Airspace design 
e Redundancy e Traffic flows 
e Automation e CONOPS 
+ | e Procedures 


¢ ATCOs maintain safe operations 
through a high standard of performance 
¢ Dominant contribution post-degradation— recovery 
— Role is an on-line defense between safe and unsafe operations 
¢ Significant implications for TBO 


— System fault/failure when ATCOs are controlling more aircraft than 
they could without automation? 


— Framework supports breakdown of this issue 


¢ Need for human — systems integration to support graceful 
degradation in TBO 


— When do ATCOs reach safe limits of performance? 
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“new The Operational envelope 


At edges, due to difficulty, 
complexity, overload etc. 
performance/safety may 
be temporarily 
compromised; but 
situation normally 
recovered before loss of 
separation event 


Normal operations: 
ATC is working 
effectively within this 
workload and 
scenario space 


Here a loss 
of separation 
will occur 
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“waves The Operational envelope 


At edges, due to difficulty, 
complexity, overload etc. 
performance/safety may 


be temporarily 
compromised; but 
Normal operations: situation normally 


Operational 


ATC is working recovered before loss of 
effectively within this separation event 
workload and 

scenario space 


Operational 


maximum 


optimum 


Tolerance 


Here a loss 
of separation 
will occur 


| 
determine the overall 
system envelope , 
| 
| 
| 


| 
| 
Individual envelopes , 
that interact to QW | 
| 
| 
| 


“wwe” CONCIUSIONS & Implications 


¢ Findings 
— Causes of degradation and solutions categorized by systems, environment and 
human operators (ATCOs) 
— Solutions to degradation can be applied pre- or post-degradation 
— Most research on systems, least on role of the ATCO 


— Research dominantly considers ATCO to be responsible for maintenance of 
Safe operations during degradation 


— Noconsideration in current literature of interactions between causes and 
solutions 


¢ Development of graceful degradation framework can be used to: 
— Identify research gaps 
— Identify causes of degradation and solutions 
— Identify interactions 
— Guide requirements for future research 
¢ Human-system interaction approach essential to achieve graceful 
degradation in TBO 


¢ Need to understand limits of system performance AND human 
performance 
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- Next Steps 
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e Literature review completed 
— Paper submitted and accepted to Aviation 2017 
¢ Aims of future work 
Identify causes of degradation in TBO 
Identify the limits of recovery for the human operator 


Cognitive walk- 
through 


Human in the 
loop 
simulations 


¢ Down selection of assumptions 

-Selection of use cases 

eInitial understanding of recovery strategies 
eInitial understanding of limits of recovery 


¢ Identification of human envelope ‘limits’ 
¢ Investigation of human and system 
performance envelope interaction 

¢ Development of solutions to specific TBO 
issue to create graceful degradation 


Future goal 


¢ Propose potential re-design of the system, 
airspace, or human tasks/procedures 
«Monitoring the situation prior to full 
breakdown 

eSupport the recovery phase 


Re-design of 
the system 
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